Having been on the market for only a little more than a decade, cyber insurance remains a relatively new product with little standardization of policy language across cyber policies. Compounding this is the fact that insurance companies’ views of where risk lies and how much it costs to transfer those risks continue to evolve, resulting in continual changes to their cyber policy forms. Given the lack of standardization across policies, it is useful to think in terms of prior claims when placing a cyber policy, because the points of tension in cyber policies are often revealed when litigating cyber claims. This article outlines a few examples of claims involving cyber policy provisions that may impact the availability and extent of coverage.
Accuracy in insurance applications
Given the frequency of cybersecurity events, insurers have been engaging in heightened underwriting practices to ensure policyholders are proactively taking measures to prevent breaches before they occur. As part of the application process, policyholders are generally required to provide detailed information about their computer networks and security protocols, and failure to provide accurate information during this process may result in claim denials or attempts to rescind the policy. For instance, in Travelers Property Casualty Company of America v. International Control Services, Inc., 2:22-cv-02145-CSB-EIL (C.D. Ill. July 6, 2022), after the insured fell victim to a ransomware attack, the insurer denied coverage and sought a declaration that the cyber policy was null and void based on allegedly false information the insured provided in its policy application. According to the complaint, the insurer alleged the insured misrepresented its protocols regarding its use of multifactor authentication.
As this case demonstrates, policyholders must manage the cyber insurance application process carefully to ensure they are providing accurate and thorough information. This is typically a team effort, involving the company’s risk management, legal and information technology teams, and requires substantial preparation. Insurers often engage in “post-loss underwriting,” in which they search for potentially defective application responses as a defense to coverage when a loss or claim occurs. The only way to prevent this tactic is to be as accurate and thorough as possible in the application process.
Failure to follow minimum required practices exclusions
In a similar vein, some cyber policies contain an exclusion that bars coverage where an insured fails to maintain minimum security standards. The contours of this exclusion vary, with some policies excluding coverage where an insured fails to comply with “industry standards,” and others excluding coverage for failure to comply with certain specifically enumerated practices. The exact wording of this exclusion may be critical because certain overly broad versions of it arguably provide insurers cause to deny coverage for basically any data breach.
In Columbia Casualty Co. v. Cottage Health System, 2:15-cv-03432 (C.D. Cal. May 7, 2015), the insurer sought a declaratory judgment that it was not required to provide defense or indemnity coverage to an insured that suffered a data breach and was subject to a class action lawsuit. The class action alleged the insured stored medical records on a system that was fully accessible to the internet but failed to take security measures to protect those medical records from becoming available to people surfing the internet. After the insurer agreed to fund a $4.125 million settlement of the lawsuit under a full reservation of rights, the insurer sought reimbursement of those funds on the ground that a “Failure to Follow Minimum Required Practices” exclusion – which precluded coverage for failure “to continuously implement the procedures and risk controls identified in the Insured’s application” – barred coverage. Among other things, the insurer alleged the insured failed to:
- Replace factory default settings to ensure that its information security systems were securely configured;
- Regularly check and maintain security patches on its systems; and
- Exercise due diligence with respect to its information security management vendor’s safeguards.
Even where policyholders are accurate and thorough in their insurance applications, if a policy contains a “failure to follow minimum required practices” exclusion, there is an opportunity for insurers to engage in the sort of post-loss underwriting that may result in a denial of coverage. The specific wording of this exclusion may have an impact on the ability of insurers to deny coverage.
- Accuracy in cyber insurance applications is crucial to preclude the argument that coverage is null and void due to misrepresentations regarding security protocols.
- Insureds should pay close attention to the language of failure to follow minimum required practices exclusions and ensure their security protocols are satisfactory.
- To avoid notice issues, insureds should implement cybersecurity incident reporting processes and negotiate for notice provisions with extended reporting periods.
- Other notable issues include prior written consent requirements, coverage for legal expenses, coverage for damaged hardware and ransomware payments.